The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.
IAM policies for Amazon EMR Serverless
When you create a state machine in the console, Step Functions automatically creates an execution role for the state machine with the least privileges required. These automatically generated IAM roles are valid for the AWS Region in which you created the state machine.
The following example templates show how AWS Step Functions generates IAM policies based on the resources in your state machine definition. For more information, see IAM policies for integrated services and Service integration patterns. Task states that use the Run a Job (.sync) pattern additionally need the events:PutRule, events:PutTargets and events:DescribeRule permissions shown below, because Step Functions creates a managed EventBridge rule to be notified when the application or job run reaches a terminal state.
We recommend that you do not include wildcards in the policies you create. As a security best practice, scope policies as narrowly as possible. Use dynamic policies (wildcard resources) only when certain input parameters, such as an application ID or job run ID, are not known until run time.
In addition, administrators should be careful when granting non-administrator users execution roles that run state machines. If you write your own policies, we recommend including an iam:PassRole statement in the execution role that is restricted to the specific role passed to EMR Serverless (see the StartJobRun examples). We also recommend adding the aws:SourceArn and aws:SourceAccount condition context keys to the execution role's trust policy, so that only the intended state machine in your own account can assume the role.
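The trust-policy recommendation above, as an added example that is not code from the original page or from AWS: the execution role trusts states.amazonaws.com only when the assume-role call is made on behalf of one named state machine in one named account, and a small check reports any service-principal trust statement that lacks those two keys. The account ID, Region and state machine name are constructed placeholders.

```python
"""
Added example (not code from the original page or from AWS): build the trust
policy of a Step Functions execution role with the aws:SourceAccount and
aws:SourceArn condition keys recommended above, and check an arbitrary trust
policy for service-principal statements that lack them.  The account ID,
Region and state machine name are constructed placeholders.
"""
import json

# Constructed placeholder values; replace with your own.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
STATE_MACHINE_ARN = (
    f"arn:aws:states:{REGION}:{ACCOUNT_ID}:stateMachine:EmrServerlessWorkflow"
)


def build_execution_role_trust_policy(account_id: str, state_machine_arn: str) -> dict:
    """Trust policy that lets states.amazonaws.com assume the role only when the
    call is made on behalf of the given state machine in the given account.
    Without the Condition block, a state machine in any account could be
    pointed at this role (the cross-service confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "states.amazonaws.com"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceAccount": account_id,
                        "aws:SourceArn": state_machine_arn,
                    }
                },
            }
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_unscoped_service_trust(trust_policy: dict) -> list:
    """Return the indexes of Allow statements that let an AWS service principal
    call sts:AssumeRole without both aws:SourceAccount and aws:SourceArn.
    Condition key names are case-insensitive in IAM, so compare lower-cased.
    This is a presence check only; it does not validate the key values."""
    required = {"aws:sourceaccount", "aws:sourcearn"}
    findings = []
    for index, stmt in enumerate(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Service" not in principal:
            continue  # only service principals are subject to this check
        present = set()
        for operator_values in stmt.get("Condition", {}).values():
            present.update(key.lower() for key in operator_values)
        if not required <= present:
            findings.append(index)
    return findings


if __name__ == "__main__":
    policy = build_execution_role_trust_policy(ACCOUNT_ID, STATE_MACHINE_ARN)
    print(json.dumps(policy, indent=2))
    print("unscoped statements:", find_unscoped_service_trust(policy))
```

The check deliberately ignores statements whose principal is an IAM user or role rather than a service, because the confused-deputy keys only make sense for service principals; if you use aws:SourceArn with a wildcard pattern under ArnLike instead of StringEquals, the presence check still passes.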
IAM policy examples for the EMR Serverless integration with Step Functions
IAM policy examples for CreateApplication
The following are IAM policy examples for a state machine with a CreateApplication Task state.
When you create the first application in your account, you must include the iam:CreateServiceLinkedRole permission in the IAM policy so that the EMR Serverless service-linked role can be created. After that, the permission is no longer needed. For information about CreateServiceLinkedRole, see CreateServiceLinkedRole in the IAM API Reference (https://docs.aws.amazon.com/IAM/latest/APIReference/).
For the following policies, the static-resource and dynamic-resource versions are identical, because no application ID exists until CreateApplication returns.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:CreateApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/*"
]
},
{
"Effect": "Allow",
"Action": [
"emr-serverless:GetApplication",
"emr-serverless:DeleteApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule"
]
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::{{accountId}}:role/aws-service-role/ops.emr-serverless.amazonaws.com/AWSServiceRoleForAmazonEMRServerless*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "ops.emr-serverless.amazonaws.com"
}
}
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:CreateApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/*"
]
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::{{accountId}}:role/aws-service-role/ops.emr-serverless.amazonaws.com/AWSServiceRoleForAmazonEMRServerless*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "ops.emr-serverless.amazonaws.com"
}
}
}
]
}
IAM policy examples for StartApplication
Static resources
The following are IAM policy examples for static resources when you use a state machine with a StartApplication Task state.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StartApplication",
"emr-serverless:GetApplication",
"emr-serverless:StopApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule"
]
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StartApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]"
]
}
]
}
Dynamic resources
The following are IAM policy examples for dynamic resources when you use a state machine with a StartApplication Task state.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StartApplication",
"emr-serverless:GetApplication",
"emr-serverless:StopApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule"
]
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StartApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
}
]
}
IAM policy examples for StopApplication
Static resources
The following are IAM policy examples for static resources when you use a state machine with a StopApplication Task state.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StopApplication",
"emr-serverless:GetApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule"
]
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StopApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]"
]
}
]
}
Dynamic resources
The following are IAM policy examples for dynamic resources when you use a state machine with a StopApplication Task state.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StopApplication",
"emr-serverless:GetApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule"
]
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StopApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
}
]
}
IAM policy examples for DeleteApplication
Static resources
The following are IAM policy examples for static resources when you use a state machine with a DeleteApplication Task state.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:DeleteApplication",
"emr-serverless:GetApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule"
]
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:DeleteApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]"
]
}
]
}
Dynamic resources
The following are IAM policy examples for dynamic resources when you use a state machine with a DeleteApplication Task state.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:DeleteApplication",
"emr-serverless:GetApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule"
]
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:DeleteApplication"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
}
]
}
IAM policy examples for StartJobRun
Static resources
The following are IAM policy examples for static resources when you use a state machine with a StartJobRun Task state. Note that the iam:PassRole statement is restricted to the job execution role and, through the iam:PassedToService condition, to the EMR Serverless service; without that condition the execution role could pass the job role to any service that accepts one.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StartJobRun"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"[[jobExecutionRoleArn]]"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "emr-serverless.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"emr-serverless:GetJobRun",
"emr-serverless:CancelJobRun"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]/jobruns/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule"
]
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StartJobRun"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"[[jobExecutionRoleArn]]"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "emr-serverless.amazonaws.com"
}
}
}
]
}
Dynamic resources
The following are IAM policy examples for dynamic resources when you use a state machine with a StartJobRun Task state.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StartJobRun",
"emr-serverless:GetJobRun",
"emr-serverless:CancelJobRun"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"[[jobExecutionRoleArn]]"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "emr-serverless.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule"
]
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StartJobRun"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"[[jobExecutionRoleArn]]"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "emr-serverless.amazonaws.com"
}
}
}
]
}
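The least-privilege advice on this page (no wildcards unless the value is unknown until run time; iam:PassRole pinned to one role and to EMR Serverless) can be checked mechanically. The following is an added example, not code from the original page or from AWS: it runs a small review over the static StartJobRun (.sync) policy above, with placeholders filled in, and over a hand-weakened variant. The Region, account ID, application ID and job role ARN are constructed placeholders.

```python
"""
Added example (not code from the original page or from AWS): a small
least-privilege review of execution-role policies like the StartJobRun
examples above.  It reports (1) every Allow resource that contains a wildcard,
which the page says to accept only where the value is unknown until run time,
and (2) iam:PassRole statements that are not pinned to one exact role ARN and
to the emr-serverless.amazonaws.com service.  Region, account ID, application
ID and job role ARN are constructed placeholders.
"""
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"
APPLICATION_ID = "00fabcdef1234567"  # constructed
JOB_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/EmrServerlessJobRole"  # constructed
APP_ARN = f"arn:aws:emr-serverless:{REGION}:{ACCOUNT_ID}:/applications/{APPLICATION_ID}"
JOB_RULE_ARN = (
    f"arn:aws:events:{REGION}:{ACCOUNT_ID}:"
    "rule/StepFunctionsGetEventsForEMRServerlessJobRule"
)

# The page's static-resource StartJobRun (.sync) policy with placeholders filled in.
STATIC_START_JOB_RUN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["emr-serverless:StartJobRun"], "Resource": [APP_ARN]},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [JOB_ROLE_ARN],
            "Condition": {"StringEquals": {"iam:PassedToService": "emr-serverless.amazonaws.com"}},
        },
        {
            "Effect": "Allow",
            "Action": ["emr-serverless:GetJobRun", "emr-serverless:CancelJobRun"],
            "Resource": [APP_ARN + "/jobruns/*"],  # job run ID is unknown until StartJobRun returns
        },
        {
            "Effect": "Allow",
            "Action": ["events:PutTargets", "events:PutRule", "events:DescribeRule"],
            "Resource": [JOB_RULE_ARN],
        },
    ],
}

# A hand-weakened variant of the kind the page warns against (constructed).
WEAK_START_JOB_RUN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["emr-serverless:StartJobRun"],
         "Resource": [f"arn:aws:emr-serverless:{REGION}:{ACCOUNT_ID}:/applications/*"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},  # any role, to any service
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcard_resources(policy: dict) -> list:
    """(statement index, resource) for every Allow resource containing '*'."""
    hits = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                hits.append((index, resource))
    return hits


def find_unscoped_passrole(policy: dict, service: str = "emr-serverless.amazonaws.com") -> list:
    """Indexes of Allow statements granting iam:PassRole that either name a
    wildcard or non-role resource, or lack a StringEquals iam:PassedToService
    condition equal to `service`."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(stmt.get("Action", [])):
            continue
        resources = _as_list(stmt.get("Resource", []))
        exact_roles = bool(resources) and all(
            r.startswith("arn:aws:iam::") and ":role/" in r and "*" not in r for r in resources
        )
        passed_to = set()
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.lower() == "iam:passedtoservice":
                passed_to.update(_as_list(value))
        if not (exact_roles and passed_to == {service}):
            findings.append(index)
    return findings


def review(policy: dict) -> dict:
    """Both checks at once, keyed by finding type."""
    return {
        "wildcard_resources": find_wildcard_resources(policy),
        "unscoped_passrole": find_unscoped_passrole(policy),
    }


if __name__ == "__main__":
    for name, policy in (("static", STATIC_START_JOB_RUN_POLICY), ("weak", WEAK_START_JOB_RUN_POLICY)):
        print(name, review(policy))
```

Even the static policy produces one wildcard finding, the `/jobruns/*` resource, and that is the acceptable case the page describes: the job run ID does not exist until StartJobRun returns, so it cannot be written into the policy. The weakened variant additionally shows the pattern to reject, an application wildcard that is not forced by the input and a PassRole grant that would let the execution role hand any role in the account to any service.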
IAM policy examples for CancelJobRun
Static resources
The following are IAM policy examples for static resources when you use a state machine with a CancelJobRun Task state.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:CancelJobRun",
"emr-serverless:GetJobRun"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]/jobruns/[[jobRunId]]"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule"
]
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:CancelJobRun"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]/jobruns/[[jobRunId]]"
]
}
]
}
Dynamic resources
The following are IAM policy examples for dynamic resources when you use a state machine with a CancelJobRun Task state.
- Run a Job (.sync)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:CancelJobRun",
"emr-serverless:GetJobRun"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule"
]
}
]
}
- Request Response
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:CancelJobRun"
],
"Resource": [
"arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*"
]
}
]
}